
Hundreds of Android applications on the Google Play store have a security flaw that lets attackers take control of the devices on which they are installed to enable them to steal data or install malware.

Vulnerable applications include some that have been downloaded between 10 and 50 million times and at least one that comes pre-installed on Android smartphones.

Those are the findings of researchers at the University of Michigan, Ann Arbor, who examined thousands of Android applications for their susceptibility to attacks via open ports.

An ‘open port’, as the researchers noted in a just-released technical report on their findings, is a communication interface that is typically used by server applications to receive requests from remote clients.

Improperly secured ports have long been a security issue for IT organizations responsible for protecting networks and mobile devices because they provide a way for attackers to gain access to systems and data. Some of the most widespread attacks in recent years—including attacks exploiting the Heartbleed flaw—were enabled via open ports, they noted. Numerous tools are available that allow almost anyone to scan the network for computers with open ports that can be exploited.

The security implications of open ports are well understood in the server context, but have not been explored adequately in the mobile context, the researchers said in the paper.

Though smartphone operating systems such as Android incorporate support for open ports, there is little understanding among the security community about how and why mobile applications use them, the researchers said.

To understand the issue a little better, the researchers developed a tool they dubbed OPAnalyzer to identify open port usage in Android applications. The researchers used OPAnalyzer on more than 24,000 Android apps in Google Play, including some of the most popular ones in the app store.

The exercise revealed that 1,632 Android apps or about 6.8 percent of the total have open port functionality. About half of these applications had more than 500,000 downloads. The apps used open ports for several reasons including data sharing, text messaging, Voice over IP calls, remote execution and to share files between devices in close proximity to each other.

The researchers used their OPAnalyzer tool to check what kind of security controls and constraint mechanisms mobile app developers have incorporated into their applications in order to protect port usage. The researchers looked for applications with weak controls and those that leave ports open by default or had no mechanism for controlling access to the port by rogue services.

The analysis showed some 410 applications to be vulnerable to attacks via the open ports they used. In total, they discovered 956 potential exploits that could be used against the vulnerabilities.

“The exploits can lead to a large number of severe security and privacy breaches,” the researchers said. They give attackers a way to remotely install malware and to steal sensitive data from devices including security credentials, location data, contacts and photos.

The researchers said they had reported their discoveries to many app developers, some of whom have already fixed the problem. The researchers have also proposed countermeasures the developers can take to make port usage safer in their applications.
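For defenders who want to see which apps on a test device hold the kind of open port the report describes, the following is an added example (not OPAnalyzer and not code from the researchers). It assumes the socket table is available as text in the Linux `/proc/net/tcp` layout; the sample rows, UIDs and function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample in the Linux /proc/net/tcp layout (not data from the report).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40211 1
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 40377 1
   2: 6401A8C0:A2C4 5DB8D8AC:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 41002 1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1
"""

TCP_LISTEN = 0x0A       # kernel state code for a listening socket
FIRST_APP_UID = 10000   # Android assigns installed apps UIDs from 10000 upward


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port)."""
    hex_ip, hex_port = field.split(":")
    # The address is printed as a native-endian 32-bit word; this assumes a
    # little-endian device, which covers typical ARM and x86 Android builds.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(proc_net_tcp):
    """Return one dict per LISTEN row: address, port, owning UID."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue                             # not a listener (e.g. ESTABLISHED)
        ip, port = decode_endpoint(cols[1])
        rows.append({"ip": ip, "port": port, "uid": int(cols[7])})
    return rows


def exposed_app_ports(proc_net_tcp):
    """(uid, port) pairs for app-owned listeners bound beyond loopback."""
    return [
        (r["uid"], r["port"])
        for r in listening_sockets(proc_net_tcp)
        if r["uid"] >= FIRST_APP_UID and not r["ip"].startswith("127.")
    ]


if __name__ == "__main__":
    for uid, port in exposed_app_ports(SAMPLE_PROC_NET_TCP):
        print(f"app uid {uid} listens on TCP port {port} on a non-loopback address")
```

This covers only the IPv4 table; listeners in `/proc/net/tcp6` use a different address encoding and need their own decoding. A flagged port is a starting point for review, since it shows reachability but says nothing about what access controls the app applies to incoming requests.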
